- This article is a Community contribution and may include unsupported customizations.

Purpose

Step-by-step Wiki/KB article on installing a Let's Encrypt Commercial Certificate.

Disclaimer

The Let's Encrypt Client is BETA SOFTWARE. It contains plenty of bugs and rough edges, and it should be tested thoroughly in staging environments before use on production systems.
For more information regarding the status of the project, please see https://letsencrypt.org. Be sure to check out the Frequently Asked Questions (FAQ).

Resolution

Let's Encrypt is a new Certificate Authority: it is free, automated, and open. It can be an option for protecting Zimbra servers with a valid SSL certificate; however, please be aware that it is in Beta for now. Some things may not work or may have issues, so use it at your own risk.

Installing Let's Encrypt on a Zimbra Server

Let's Encrypt must be installed on a Linux machine to obtain the SSL certificate, the intermediate CA certificate, and the private key. It does not have to be the Zimbra server itself, but installing it there saves time and simplifies renewals.

The first step is to stop the nginx proxy and jetty mailbox services at the Zimbra level:

zmproxyctl stop
zmmailboxdctl stop

The second step is to install git on the server (apt-get install git or yum install git), and then git clone the project into the folder of your choice.

Note: On RedHat/CentOS 6 you will need to enable the EPEL repository before installing.

(This step only happens the first time; it is skipped when renewing the SSL certificate on the same machine.) The process downloads all of the OS dependencies that Let's Encrypt needs, and after a few minutes prints:

Creating virtual environment...
Updating letsencrypt and virtual environment dependencies...../root/.local/share/letsencrypt/local/lib/python2.7/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
InsecurePlatformWarning
./root/.local/share/letsencrypt/local/lib/python2.7/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
InsecurePlatformWarning

The process asks for an email address, used for urgent contact and to recover a lost key.

The process then asks whether we agree with the ToS.

When running a renewal, or a request for a new FQDN, the process takes only a few seconds.

Let's Encrypt prompts for the domain to protect, in this lab case zimbra86.zimbra.io:

The process will take a few seconds to validate and then will end:

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/zimbra86.zimbra.io/fullchain.pem. Your cert
will expire on 2016-03-04. To obtain a new version of the
certificate in the future, simply run Let's Encrypt again.
- If like Let's Encrypt, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

Where are the SSL Certificate Files?

You can find all your files under /etc/letsencrypt/live/$domain, where $domain is the FQDN you used during the process:

Build the proper Intermediate CA plus Root CA

Let's Encrypt is almost perfect, but among the files the process builds, chain.pem contains only the intermediate CA certificate, without the root CA.
You must take the IdenTrust root certificate and append it after the contents of chain.pem.

Verifying SSL certificate is not expired

SSL certificates issued by Let's Encrypt are valid for 90 days during the BETA phase.
You need to check the expiration of your SSL certificate; we suggest using a monitoring tool such as Nagios. The Nagios plugins include a command that checks the expiration:

/usr/lib/nagios/plugins/check_http --sni -H '<FQDN>' -C 30,14

A warning is issued 30 days before expiration, and a critical 14 days before expiration.
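As an added example (not part of the original article or the Nagios plugins), the following Python script reproduces the check_http --sni -C 30,14 logic: it connects with SNI, reads the leaf certificate's notAfter, and classifies the remaining validity with the same 30/14-day thresholds. The default host zimbra86.zimbra.io is the lab FQDN from above; the threshold constants and helper names are this example's own.

```python
"""Certificate expiry check mirroring check_http --sni -H <FQDN> -C 30,14."""
import socket
import ssl
import time
from datetime import datetime, timezone

WARN_DAYS = 30   # warning below 30 days left  (check_http -C 30,14)
CRIT_DAYS = 14   # critical below 14 days left


def utc_epoch(year, month, day):
    """Seconds since the epoch for midnight UTC on the given date (test helper)."""
    return datetime(year, month, day, tzinfo=timezone.utc).timestamp()


def classify_expiry(not_after, now=None, warn_days=WARN_DAYS, crit_days=CRIT_DAYS):
    """Return (status, days_left) for a notAfter string as reported by
    ssl.getpeercert(), e.g. 'Mar  4 00:00:00 2016 GMT'.

    Nagios semantics: the certificate must stay valid for at least warn_days
    to be OK and at least crit_days to avoid CRITICAL; an already expired
    certificate (negative days_left) is CRITICAL as well.
    """
    expiry = ssl.cert_time_to_seconds(not_after)
    if now is None:
        now = time.time()
    days_left = int((expiry - now) // 86400)
    if days_left < crit_days:
        return "CRITICAL", days_left
    if days_left < warn_days:
        return "WARNING", days_left
    return "OK", days_left


def fetch_not_after(fqdn, port=443, timeout=10):
    """Open a TLS connection with SNI (like --sni) and return the leaf notAfter."""
    ctx = ssl.create_default_context()
    with socket.create_connection((fqdn, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=fqdn) as tls:
            return tls.getpeercert()["notAfter"]


def check_host(fqdn, port=443):
    """One-line Nagios-style result for a live host."""
    status, days_left = classify_expiry(fetch_not_after(fqdn, port))
    return f"{status}: certificate for {fqdn} expires in {days_left} days"


if __name__ == "__main__":
    import sys
    print(check_host(sys.argv[1] if len(sys.argv) > 1 else "zimbra86.zimbra.io"))
```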